b'     Review of the Systems Development Life Cycle for End-User Computing\n                      Report No. 03-10, September 8, 2003\n\n                                     INTRODUCTION\n\n\nThis report presents the results of the Office of Inspector General\xe2\x80\x99s (OIG) review of the\nsystems development life cycle for end-user computing at the Railroad Retirement\nBoard (RRB).\n\nBackground\n\nThe RRB administers comprehensive retirement/survivor and unemployment/sickness\nbenefit programs for railroad workers and their families under the Railroad Retirement\nAct (RRA) and Railroad Unemployment Insurance Act (RUIA). These programs provide\nincome protection to railroad workers and their families during old age and in the event\nof disability, death, temporary unemployment, or sickness. The RRB paid over $8.8\nbillion in benefits during fiscal year (FY) 2002.\n\nThe RRB\xe2\x80\x99s information system environment consists of two general support systems\nand seven major application systems. The two general support systems are the data\nprocessing system, which supports all mainframe computing activity; and the end-user\ncomputing system, which supports the agency\xe2\x80\x99s local and wide area networks.\nSoftware applications in the end-user computing environment are accessed through\npersonal computers connected to the agency\xe2\x80\x99s local and wide area networks.\n\nThe systems development life cycle is an essential component of information\ntechnology governance and helps ensure that new applications are adequately\ncontrolled and address the needs of the RRB. The principle phases of the life cycle are:\n\n      \xe2\x80\xa2   Project Definition,\n      \xe2\x80\xa2   Requirements Definition,\n      \xe2\x80\xa2   Design,\n      \xe2\x80\xa2   Coding,\n      \xe2\x80\xa2   Testing, and\n      \xe2\x80\xa2   Implementation.\n\nThe General Accounting Office (GAO) has issued standards specific to information\nsystems development which include the documentation of requirements, authorizations\nfor undertaking projects, reviews and testing, and approvals before placing systems into\noperation. The Office of Management and Budget (OMB) has also instructed agencies\nto apply National Institute of Standards and Technology (NIST) guidelines to achieve\nadequate security over Federal computer systems.\n\nThe RRB has published internal procedures for the development of new applications,\nincluding Administrative Circular IRM-10, \xe2\x80\x9cEnd-User Computing: Network and\n\x0cMicrocomputer (PC) Management,\xe2\x80\x9d dated September 3, 1998; Administrative Circular\nIRM-11, \xe2\x80\x9cSecurity for Automated Information,\xe2\x80\x9d dated June 17, 1994; and the ADP\nStandards. These procedures provide guidance regarding each phase in the systems\ndevelopment life cycle and establish control requirements to support the confidentiality,\nintegrity, and availability of the information processed in the applications under\ndevelopment.\n\nIn general, the RRB\xe2\x80\x99s user bureaus initiate the development of new applications by\nforwarding a request to the Bureau of Information Services (BIS). BIS\xe2\x80\x99 E-Government\nServices section and representatives from the user bureaus cooperate throughout all\nphases of the development process.\n\nThe RRB\xe2\x80\x99s Office of Programs coordinates services to applicants and beneficiaries of\nthe RRA and RUIA programs, and more than half of agency employees are assigned to\nthat organization. The Office of Programs, as the largest of the agency\xe2\x80\x99s component\norganizations, submits the greatest number of requests for new computer applications\nand maintains a staff of system analysts to work with BIS program developers\nthroughout the systems development life cycle.\n\nThe RRB has established the development of a sound and integrated information\ntechnology architecture as a strategic element of its larger objective to use technology\nand automation to foster fundamental changes that improve the way the agency does\nbusiness. This audit directly supports this agency objective and will contribute to the\nannual OIG security evaluation mandated by the E-Government Act of 2002 (Public Law\n107-347), Title III, the Federal Information Security Management Act of 2002.\n\nObjectives, Scope, And Methodology\n\nThe objectives of this review were to assess:\n\n   \xe2\x80\xa2\t the adequacy of the RRB\xe2\x80\x99s methodology for the development and maintenance\n      of end-user computing applications; and\n   \xe2\x80\xa2\t the effectiveness of the RRB\xe2\x80\x99s efforts in incorporating security requirements into\n      the systems development life cycle.\n\nIn order to accomplish our objectives, we:\n\n   \xe2\x80\xa2   reviewed applicable laws, regulations, NIST guidance, and RRB procedures;\n   \xe2\x80\xa2   interviewed agency personnel responsible for systems development; and\n   \xe2\x80\xa2\t tested a non-random sample of 17 systems development projects for compliance\n      with applicable RRB policy and procedure, and external authoritative sources\n      such as NIST.\n\nWe selected the sample from a universe of 72 end-user computing development\nprojects, started or completed during FY 2002 and FY 2003, as identified by BIS and\n\x0cOffice of Programs-Policy and Systems. Because BIS could not provide a complete\ninventory of projects, the universe may not have been all-inclusive. The 17 sample\nitems were selected judgmentally by eliminating service requests that appeared to be\nroutine maintenance or of such limited scope that their execution would not be\nrepresentative of the systems development life cycle. Sixteen of the 17 projects\nreviewed had been requested by the Office of Programs.\n\nOur work was performed in accordance with generally accepted government auditing\nstandards as applicable to the objectives. Fieldwork was conducted at RRB\nheadquarters during October 2002 through June 2003.\n\n                                RESULTS OF REVIEW \n\n\nIn general, our review disclosed that the RRB does not have an adequate methodology\nfor the development and maintenance of end-user computing applications; and the\nagency\xe2\x80\x99s efforts to incorporate security requirements into the systems development life\ncycle have not been effective. Specifically, the lack of a comprehensive life cycle\nmethodology for the end-user computing environment has manifested itself in the\nfollowing weaknesses:\n\n   \xe2\x80\xa2   the agency does not have an effective project management program;\n   \xe2\x80\xa2\t the consideration of security is not fully incorporated into the systems\n      development life cycle;\n   \xe2\x80\xa2   authorization of new systems prior to implementation has not been ensured; and\n   \xe2\x80\xa2\t the testing and problem resolution phase of the life cycle is not comprehensive, is\n      too informal and is poorly documented.\n\nManagement has agreed to take corrective action in response to all of the OIG\xe2\x80\x99s\nfindings. However, BIS disagreed with our recommendation for development of a\nformal certification and accreditation process stating that the issue of non-compliance\nwith existing procedures should be addressed, and describing their planned actions.\n\nThe details of our findings and recommendations for corrective action follow. The full\ntext of management\xe2\x80\x99s response is presented as an appendix to this report.\n\nProject Management Needs Improvement\n\nInternal control over systems development in the end-user computing environment has\nbeen undermined by the lack of an effective project management system and the\nabsence of a quality assurance program.\n\nInternal control comprises the plans, methods, and procedures used to meet missions,\ngoals and objectives. Internal control, which is synonymous with management control,\nassists managers in achieving desired results through effective stewardship. The\n\x0cRRB\xe2\x80\x99s basic requirements for project management, as set forth in IRM-10, include\npreparation of a work plan that includes cost and resource estimates. Additional\nauthorizations and analyses may be required for major projects based on the cost and\nresource requirements developed during the planning phase of the project.\n\nDuring this review, BIS was unable to respond to auditor requests for an inventory of its\nworkload, the status of project development and the staff resources expended to date.\nOur detailed review of 17 end-user computing projects indicates that the systems\ndevelopment life cycle is marred by a lack of documentation for critical activities. Our\nreview disclosed:\n\n   \xe2\x80\xa2\t Nine projects that were not supported by a general work plan detailing required\n      tasks and staff resources;\n   \xe2\x80\xa2   12 projects that lacked cost estimates; and\n   \xe2\x80\xa2   two projects for which reliable estimates of staff time invested were not available.\n\nDuring our review, we identified a major project that had not been submitted to the\nInformation Technology Steering Committee (ITSC) for approval even though the work\nhad progressed beyond the stage at which one would have expected such approval to\nbe obtained. File evidence indicates that the project was expected to exceed the 1,000\nstaff hour threshold that mandated ITSC approval; however, no formal estimate of staff\nresources had been developed.\n\nWe also noted that the rationale for merging two new, smaller projects into an existing\nmajor project was not adequately documented, and that the paper trail of accountability\nfor project authorization is undermined by procedures that often result in conflicting\ndocumentation.\n\nThe systems development life cycle for the end-user computing environment is not\nsupported by a fully implemented project management system, manual or automated,\nthat identifies major process steps, triggers required actions, or records expenditures of\nstaff time. In addition, BIS has not implemented a quality assurance program to identify\nnon-conformances in the execution of existing procedural requirements. In April 2003,\nBIS published procedures for a limited quality assurance program. These procedures\nare not sufficiently comprehensive with respect to existing standards and the program\nas currently implemented does not include a back-end review of compliance with\nagency standards and procedures.\n\nAs a result of the lack of a comprehensive project management system and quality\nassurance program, the efficiency and effectiveness of the systems development life\ncycle has not been ensured.\n\x0cRecommendations\n\nWe recommend that BIS:\n   1. procure and install a new project management system;\n   2. \t implement a means to track the number of projects, the status of each project\n        and the staff hours invested for projects under development until a new project\n        management system is operational;\n   3. \t assess the feasibility of implementing a more comprehensive quality assurance\n        function;\n   4. \t implement the quality assurance program as presently designed including a\n        back-end review for compliance; and\n   5. \t implement a control to ensure that requests for ITSC approval are submitted\n        timely.\n\nManagement\xe2\x80\x99s Response\n\nManagement agrees and plans corrective action in response to each of the five\nrecommendations. BIS reports having completed requirements and selection of a\nreplacement project management tool; however, procurement is dependent on the\navailability of funding. In addition, they plan to implement controls to track project status\nand ensure that ITSC approvals are secured when required until a new project\nmanagement system is operational.\n\nBIS has agreed to study the scope and requirements of a more comprehensive quality\nassurance function and assess the appropriate level of staff and tools needed. They\nwill then make appropriate recommendations and proceed accordingly.\n\nBIS has advised that they are incorporating architecture and capital planning investment\ncompliance controls into the systems development life cycle in a staggered manner.\nThey are currently performing analysis on how they might implement additional reviews,\nincluding a post-implementation review.\n\nSecurity Has Not Been Integrated Into the Systems Development Life Cycle\n\nExisting procedures and controls are not adequate to ensure the consideration of\nsecurity in systems developed for the end-user computing environment in accordance\nwith existing agency requirements as set forth in IRM-11. In addition, the RRB has not\nimplemented a risk-based approach to authorization. We attribute these weaknesses to\nthe lack of a comprehensive certification and accreditation process. As a result, new\nsystems exhibit a lack of applied audit trails, weak authentication methods and poor\naccess controls.\n\nOur sample included two systems that were implemented without adequate access\nrestrictions. The developer of one system in our sample retained post-implementation\n\x0cresponsibility for some tasks that required him to access production data. Proper\nseparation of duties mandates that system developers work only outside of the\nproduction environment.\n\nWe also identified a system that had been implemented using shared user identification\nand password. Responsible management advised that this practice is contrary to\nagency policy; however, we were unable to identify formal standards or procedures\ncommunicating such a restriction.\n\nNon-Compliance with Existing Agency Procedure\n\nControls are not adequate to ensure compliance with existing agency procedure as set\nforth in IRM-11.\n\nIRM-11 requires the organizational unit requesting the systems development project to\ncomplete Form G-402, \xe2\x80\x9cSecurity Profile for Automated Application,\xe2\x80\x9d or its equivalent.\nForm G-402 documents who is responsible for the security of each automated\napplication, the sensitivity levels of the information handled by the application, and the\ncontrol techniques that have been implemented to protect the information.\n\nThe 17 projects reviewed during our audit included 13 projects that had progressed to a\nstage at which the consideration of system security should have been documented.\nOur review disclosed:\n\n    \xe2\x80\xa2\t ten projects that had been placed into operation for which Form G-402, or an\n       equivalent document, had not been prepared;\n    \xe2\x80\xa2   four of the ten projects had no documented consideration of system security; and\n    \xe2\x80\xa2\t security control weaknesses exist in four of the ten projects that had been\n       implemented without execution of Form G-402, or an equivalent.\n\nThe OIG previously identified the inadequacy of control over the preparation of Form\nG-402 in connection with the development of mainframe computer systems and\nrecommended that BIS develop a control to ensure the timely execution and\nmaintenance of Form G-402.1 Accordingly, no additional recommendation for corrective\naction is offered at this time.\n\nAuthorization Levels Are Not Commensurate With Risk\n\nThe RRB has not established an authorization policy that assigns responsibility for pre-\nimplementation authorization of systems development projects based on risk.\n\n\n\n1\n \xe2\x80\x9cReview of Information Security at the Railroad Retirement Board,\xe2\x80\x9d OIG Audit Report # 02-04, February\n5, 2002.\n\x0cIn a risk-based approach to the systems development life cycle, higher levels of\nmanagement authorize implementation of those projects that pose the greatest risk.\nThe assessment of risk is key to placing accountability for implementation at an\nappropriate level within the organization. Typically, the greatest risk is associated with\nmajor applications and the systems with which they interface or exchange data.\n\nCurrent agency procedure does not assign any authorization responsibilities to\nmanagement level employees. Typically, user analysts who have been involved in a\nproject\xe2\x80\x99s development and testing authorize implementation of completed systems on\nbehalf of that organization. Some of these authorizations were offered informally,\nsignatures were not always captured, and some had been transmitted by electronic\nmail.\n\nRRB Lacks a Certification and Accreditation Program\n\nCurrent RRB procedures are not consistent with trends in systems development which\ncall for implementation of a formal certification and accreditation program that places\nresponsibility for the acceptance of system security risk with higher levels of\nmanagement.2\n\nCertification is the comprehensive evaluation of the management, operational and\ntechnical security controls in an information system. Accreditation is the formal\ndeclaration of a management official that a system has been approved to operate at an\nacceptable level of risk. Through the accreditation and certification process,\nresponsible management formally acknowledges responsibility for both system security\nand future accountability for any adverse impacts resulting from breaches of security.\n\nOMB has highlighted the importance of the certification and accreditation process by\nrequiring Federal agencies and their Inspectors General to report on the number of\nsystems that have been certified and accredited.\n\nIRM-11 places responsibility for documenting the consideration of system security with\nsystem users and developers. However, the RRB has not formalized the consideration\nof system security in a comprehensive certification and accreditation process.\n\nRecommendation\n\n    6. We recommend that BIS develop a formal certification and accreditation process.\n\nManagement\xe2\x80\x99s Response\n\nManagement disagrees with the recommendation for a \xe2\x80\x9cformal\xe2\x80\x9d certification and\naccreditation process. BIS responded that, rather than develop new or changed\nprocedures, the issue of non-compliance with existing procedures should be addressed.\n\n2\n NIST is currently circulating draft standards for Federal certification and accreditation programs that\nspecify \xe2\x80\x9ca senior agency official\xe2\x80\x9d as the appropriate level of management (NIST SP 800-37).\n\x0cThey plan to monitor NIST\xe2\x80\x99s distribution of standards and guidelines related to the\ncertification and accreditation process. As these standards and guidelines become\nfinal, they will review them and consider whether a formal certification and accreditation\nprocess is needed.\n\nBIS acknowledges that security control weaknesses found in applications that have\nbeen implemented without documented security profiles indicate that security controls\nwere not considered and additional management controls are needed. They plan to\nissue revised procedures and designate an information system security officer for each\nmajor application and general support system.\n\n\nAuthorization Prior to Implementation Has Not Been Ensured\n\nInternal control is not adequate to ensure that all systems will be properly authorized\nprior to implementation.\n\nCurrent RRB procedure requires user testing and acceptance prior to implementation of\nnew systems and system modifications. Form G-872, \xe2\x80\x9cSign-off Sheet,\xe2\x80\x9d is used by an\nauthorized reviewer to accept or reject a final project. Form G-905, \xe2\x80\x9cRequest to Install\nSoftware onto Server,\xe2\x80\x9d is used to document authorization for installation of software, the\nperson responsible for the installation, and the date that installation took place.\n\nThe ten projects in our sample that had been placed into operation included one project\nthat had been placed into production without user testing and acceptance, and for which\nForm G-905 authorizing the software installation had not been prepared. It also\nappears that the system developer installed the application software, contrary to agency\nprocedure calling for adequate separation of duties.\n\nWe also observed that two projects had been placed into production prior to formal\nacceptance by the user organization, and an additional seven projects for which Form\nG-905 had not been prepared.\n\nRRB personnel have not followed existing procedures regarding the testing,\nacceptance, and authorization of projects prior to implementation. Additionally, RRB\npersonnel have not documented all end-user computing installations. In the absence of\nadequate controls to ensure compliance with agency requirements, unauthorized\nsystems or systems that do not meet the user\xe2\x80\x99s needs may become operational.\n\x0cRecommendations\n\nWe recommend that BIS:\n\n   7. \t implement a control to ensure all projects are tested, accepted and authorized by\n        the user organization prior to installation; and\n   8. \t implement a control to ensure that the installation process is properly\n        documented and executed only by authorized individuals.\n\nManagement\xe2\x80\x99s Response\n\nManagement agrees and plans to implement a control to ensure that applications have\nbeen tested, accepted and authorized by the user organization before BIS supervisors\nauthorize installation of applications and that the installation process is properly\ndocumented and executed only by authorized individuals.\n\nTesting and Problem Resolution Needs Improvement\n\nExecution of the testing and problem resolution phase of systems development in the\nend-user computing environment is not comprehensive, too informal, and not\nadequately documented. As a result, flawed systems may be placed into production.\n\nCurrent RRB procedures require pre-implementation testing of all systems. Users and\ndevelopers are required to develop a testing plan that addresses predetermined\nconditions derived from the program specifications and requirements document. The\nexpected test outcomes should be defined within the plan and compared to actual test\nresults. System developers are required to correct problems identified during the\ntesting phase. System users are required to test and formally accept the software prior\nto installation.\n\nThe RRB has no controls in place to ensure that:\n\n   \xe2\x80\xa2   test plans are properly developed and executed;\n   \xe2\x80\xa2   problems are identified and addressed; and\n   \xe2\x80\xa2\t documentation supporting the testing and problem resolution process is\n      maintained for subsequent review.\n\nOur sample of 17 system development projects included 10 that had been completed\nand placed into production and one project undergoing pre-implementation testing.\nRRB personnel had not maintained test documentation and/or test plans for seven of\nthe 11 projects. The four test plans that had been developed and submitted for review\ndid not meet established agency requirements because they were incomplete. We also\nobserved that the resolution of problems identified during testing was not formally\ncontrolled for three projects, including one for which the BIS developer did not return the\ncorrection to the user for verification and acceptance prior to implementation.\n\x0cOur review identified one system that incorrectly computes certain estimated\ntimeframes that are provided to annuitants concerning benefit changes under the\nRailroad Retirement and Survivors\xe2\x80\x99 Improvement Act. Pre-implementation testing\nperformed by the Office of Programs did not disclose the calculation error because\nmany possible input conditions were not tested. In that same project, test\ndocumentation of screen layouts differs from the layouts that are currently in production,\nindicating that changes were made after testing or that test documentation was not\nmaintained.\n\nAs a result of weaknesses in the testing and problem resolution process, the RRB is at\nincreased risk of implementing systems that produce inaccurate results and that may\nnot meet the user\xe2\x80\x99s needs. In addition, the lack of documentation deprives the agency\nof a starting point for the oversight of system security in a comprehensive certification\nand accreditation process.\n\nRecommendations\n\nWe recommend that:\n\n   9. \t the Office of Programs implement a control to ensure user testing is fully\n        documented, including complete test plans and results; and\n   10. BIS implement a control to ensure developer testing is fully documented,\n       including complete test plans and results.\n\nManagement\xe2\x80\x99s Response\n\nManagement agrees. The Office of Programs plans to provide additional training to\ntheir analysts. BIS plans to address issues specific to developer testing during their\nongoing process of modifying the current system development life cycle to allow for\nmethodologies specific to e-government solutions.\n\x0c\x0c\x0c\x0c\x0c'